Hit MOZ_CRASH(Invalid vartype) at js/src/asmjs/AsmJS.cpp:1101

RESOLVED FIXED in Firefox 52

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported / last modified: 2 years ago

People: (Reporter: gkw, Assigned: sunfish)

Tracking: (Blocks: 1 bug, {crash, jsbugmon, testcase})
Version: Trunk
Target Milestone: mozilla52
Hardware: x86_64
OS: Mac OS X
Keywords: crash, jsbugmon, testcase
Firefox Tracking Flags: (firefox52 fixed)

Details: (Whiteboard: [jsbugmon:update])

Attachments: (2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision f7d5008ee2ab (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

f = (function(stdlib, foreign, heap) {
    "use asm";
    function f() {
        1,
        1 / 0
    }, new SharedArrayBuffer(4096)
);


Backtrace:

0   js-dbg-64-dm-clang-darwin-f7d5008ee2ab	0x0000000103c848fa CheckExpr((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*, Type*) + 9066 (AsmJS.cpp:1101)
1   js-dbg-64-dm-clang-darwin-f7d5008ee2ab	0x0000000103c80dad CheckAsExprStatement((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*) + 61 (AsmJS.cpp:6379)
2   js-dbg-64-dm-clang-darwin-f7d5008ee2ab	0x0000000103c7b6c1 CheckStatement((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*) + 209 (AsmJS.cpp:6397)
3   js-dbg-64-dm-clang-darwin-f7d5008ee2ab	0x0000000103c6c5bb CheckFunctions(ModuleValidator&) + 4635 (AsmJS.cpp:7086)
4   js-dbg-64-dm-clang-darwin-f7d5008ee2ab	0x0000000103c474d8 CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, unsigned int*) + 5272 (AsmJS.cpp:7337)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8796355 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/958074f3b830
user:        Dan Gohman
date:        Fri Sep 23 09:13:15 2016 -0500
summary:     Bug 1287220 - Baldr: update to binary version 0xc (r=luke)

Dan, is bug 1287220 a likely regressor?
Blocks: 1287220
Flags: needinfo?(sunfish)
(Assignee)

Comment 3

2 years ago
Yes.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
(Assignee)

Comment 4

2 years ago
Created attachment 8796361 [details] [diff] [review]
wasm-asmjs-block-signature.patch

This adds a new method for converting from asm.js Type to wasm::ExprType that handles non-canonical types, for the purpose of computing block signatures.
Attachment #8796361 - Flags: review?(luke)
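As an added illustration (not SpiderMonkey's code; the enum and function names are hypothetical), a C++ model of the conversion Comment 4 describes: the testcase's expression statement `1, 1 / 0` has the non-canonical asm.js type intish, which a converter that accepts only canonical var types rejects with the reported "Invalid vartype" crash, while a conversion that maps every lattice type to its wasm representation yields the block signature.

```cpp
#include <stdexcept>

// asm.js validator types (model). Void/Int/Double/Float are the canonical
// variable types; the rest are non-canonical expression types from the asm.js
// lattice (fixnum <: signed <: intish, unsigned <: intish, double <: doublish,
// float <: floatish).
enum class AsmType { Void, Int, Double, Float,
                     Fixnum, Signed, Unsigned, Intish, Doublish, Floatish };
// wasm value types a block signature can carry.
enum class ExprType { Void, I32, F32, F64 };

// Model of the pre-fix conversion: only canonical var types are accepted;
// anything else is a logic error, standing in for MOZ_CRASH("Invalid vartype").
ExprType varTypeToExprType(AsmType t) {
    switch (t) {
        case AsmType::Void:   return ExprType::Void;
        case AsmType::Int:    return ExprType::I32;
        case AsmType::Double: return ExprType::F64;
        case AsmType::Float:  return ExprType::F32;
        default: throw std::logic_error("Invalid vartype");
    }
}

// Model of the fixed conversion: every type, canonical or not, maps to the
// wasm value type that represents it, so a block signature can be computed.
ExprType blockSignatureType(AsmType t) {
    switch (t) {
        case AsmType::Void: return ExprType::Void;
        case AsmType::Int: case AsmType::Fixnum: case AsmType::Signed:
        case AsmType::Unsigned: case AsmType::Intish: return ExprType::I32;
        case AsmType::Double: case AsmType::Doublish: return ExprType::F64;
        case AsmType::Float: case AsmType::Floatish: return ExprType::F32;
    }
    throw std::logic_error("unhandled AsmType");
}

// Result type of `lhs / rhs` in the asm.js integer cases: two signed (fixnum
// is a subtype of signed) or two unsigned operands yield intish.
AsmType typeOfIntDivision(AsmType lhs, AsmType rhs) {
    auto sgn = [](AsmType t) { return t == AsmType::Fixnum || t == AsmType::Signed; };
    if ((sgn(lhs) && sgn(rhs)) || (lhs == AsmType::Unsigned && rhs == AsmType::Unsigned))
        return AsmType::Intish;
    throw std::logic_error("not an asm.js integer division");
}
// A comma expression has the type of its last operand, so `1, 1 / 0` is intish.
AsmType typeOfComma(AsmType /*first*/, AsmType last) { return last; }
// True when the pre-fix path would have crashed on this type.
bool oldConversionCrashes(AsmType t) {
    try { varTypeToExprType(t); return false; } catch (const std::logic_error&) { return true; }
}
```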

Comment 5

2 years ago
Comment on attachment 8796361 [details] [diff] [review]
wasm-asmjs-block-signature.patch

Review of attachment 8796361 [details] [diff] [review]:
-----------------------------------------------------------------

Nice and explicit.
Attachment #8796361 - Flags: review?(luke) → review+

Comment 6

2 years ago
Pushed by dgohman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1a61d8bf5b3d
OdinMonkey: Don't require canonicalizable types when computing block signatures. r=luke

Comment 7

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1a61d8bf5b3d
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox52: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52